Hardening the Browser: Protecting Patron Privacy on the Internet

When Eric Phetteplace asked me if browser privacy would be an appropriate topic for the Accidental Technologist column, I asked how soon he could write it. Even though he graduated in May 2011 and moved to start a new job, he presented me with the column this fall. In "Hardening the Browser," Eric poses some questions for consideration about how involved libraries should be in training our patrons on Internet privacy. He also provides a lot of practical how-to information that will be useful for your library and for your personal web browsing.--Editor

Article 3 of the current Code of Ethics of the American Library Association states that "[ALA members] protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted." This noble maxim has led many librarians to be advocates for the right to privacy, even to the point of resisting federal legislation such as the USA PATRIOT Act. However, merely protecting a patron's circulation records has become but a small hillock of the privacy terrain in our modern information environment. As more and more time is spent accessing and producing content online, libraries need to position themselves to offer Internet privacy to patrons as well.

The much-publicized "Firesheep" add-on for Mozilla Firefox highlights the need for education surrounding privacy on the Internet. (1) While traffic sent over HTTP on a public wireless network has always been vulnerable, Firesheep makes stealing others' log-in credentials a trivial procedure. Simply open Firefox, click a button to start capturing log-in credentials from others on the same public network, and soon you can post to their social media accounts, such as Facebook. While Firesheep runs only on Firefox, it can exploit unprotected users in any other browser. The add-on is not in Mozilla's official directory of enhancements for Firefox and it was created as a proof of concept, meant to highlight vulnerabilities that already exist and not to create further ones. However, there also is nothing to stop malicious users from employing Firesheep to their own ends.

While discussions around Firesheep typically note that public Wi-Fi hot spots occur in coffee shops or airports, many libraries also provide wireless networks. As of 2010, 85.7 percent of public libraries offered wireless Internet access, and another 5.9 percent planned to make wireless connections available within a year. (2) As such, it is the responsibility of librarians to educate users about the risks and insulate them against potential attackers. While not all librarians are able to secure their institution's networks or even choose the software settings on their public computers, simply spreading awareness of online privacy problems and potential solutions is a major step forward in an increasingly important area of information literacy. This column will detail three layers where protections can be implemented: in the choice of an Internet browser, the user settings within the software, and, finally, add-ons that extend the browser's functionality, providing additional security beyond the default architecture.

CHOOSING THE RIGHT BROWSER

The easiest defense is at the level of the Internet browser itself. Selecting software that has historically proven to be secure, such as Mozilla Firefox or Google Chrome, immediately places your users in a safer arena. On the other hand, Internet Explorer is a notoriously insecure piece of software, and Apple's Safari browser has proven to be similarly vulnerable. Both browsers were hacked on the first day of the 2011 "Pwn2Own" event at the CanSecWest computer security conference, while no participants even attempted to hack Firefox and Chrome. (3) It should not have to be mentioned, but Internet Explorer 6 still holds a modicum of market share in the United States and is regarded by some as the most insecure piece of software ever developed. …